Lock down services to LAN

2025-04-22 13:40:41 -05:00 · 2025-04-22 13:40:41 -05:00 · b27d748e30
commit b27d748e30
parent 2034274ee0
3 changed files with 22 additions and 24 deletions
--- a/nix/application/containers.nix
+++ b/nix/application/containers.nix
@ -1,13 +1,5 @@
 { config, lib, pkgs, ... }:
 {
-  environment.etc."containers/containers.conf".text = lib.mkForce ''
-    [engine]
-    init_path = "${pkgs.catatonit}/bin/catatonit"
-
-    [network]
-    network_backend = "cni"
-    cni_plugin_dirs = ["${pkgs.cni-plugins}/bin"]
-  '';
  virtualisation.oci-containers = {
    containers = {

--- a/nix/application/headscale.nix
+++ b/nix/application/headscale.nix
@ -4,7 +4,10 @@
    address = "0.0.0.0";
    port = 35893;
    settings = { 
-      dns.base_domain = "vpn.matri.cx";
+      dns = {
+        base_domain = "vpn.matri.cx";
+        nameservers.global = ["192.168.0.130" "1.1.1.1"];
+      };
      logtail.enabled = false; 
      noise.private_key_path = "/var/lib/headscale/noise_private.key";
      server_url = "https://vpn.matri.cx:443";
@ -12,11 +15,8 @@
  };
  services.tailscale = {
    enable = true;
-    extraSetFlags = [
-      "--advertise-exit-node"
-    ];
    extraUpFlags = [
-      "--advertise-tags=tag:home-server"
+      "--accept-routes" "--advertise-exit-node" "--advertise-routes=192.168.0.0/24" "--login-server=https://vpn.matri.cx"
    ];
    useRoutingFeatures = "both";
  };
--- a/nix/application/nginx.nix
+++ b/nix/application/nginx.nix
@ -33,20 +33,23 @@
          };
        };

-        proxiedLAN = { target }: base {
+        proxiedLAN = { target, extra ? ""}: base {
          "/" = {
            proxyPass = target;
-            extraConfig = ''
-              allow 192.168.0.0/24;
-              deny all;
-            '';
+            extraConfig = allowedLANAddrs + extra;
          };
        };
+
+        allowedLANAddrs = ''
+          allow 127.0.0.1;
+          allow 192.168.0.0/24;
+          allow 100.64.0.0/24;
+          deny all;
+        '';
      in
      {
        "default.host" = { default = true; root = "/var/www/default";};
        "atuin.matri.cx" = proxied { target = "http://127.0.0.1:8888"; };
-        "brohan.lol" = static { dir = "/var/www/brohan.lol"; };
        "cache.matri.cx" = proxiedLAN {
          target = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
        };
@ -59,10 +62,13 @@
          '';
        };
        "eversole.co" = proxied { target = "http://127.0.0.1:5196"; };
-        "flux.matri.cx" = proxied { target = "http://127.0.0.1:26343"; };
+        "flux.matri.cx" = proxiedLAN { target = "http://127.0.0.1:26343"; };
        "git.eversole.co" = proxied { target = "http://127.0.0.1:8027"; };
-        "graf.matri.cx" = { root = "/var/www/graf.matri.cx"; }; # refer to /monitoring/nginx.nix
-        "hydra.matri.cx" = proxied {
+        "graf.matri.cx" = { # refer to /monitoring/nginx.nix
+          root = "/var/www/graf.matri.cx";
+          extraConfig = allowedLANAddrs;
+        };
+        "hydra.matri.cx" = proxiedLAN {
          target = "http://127.0.0.1:3034";
          extra = ''
            proxy_set_header X-Request-Base "https://hydra.matri.cx";
@ -70,9 +76,9 @@
        };
        "jame.su" = static { dir = "/var/www/jame.su"; };
        "matri.cx" = static { dir = "/var/www/matri.cx"; };
-        "media.matri.cx" = proxied { target = "http://127.0.0.1:8096"; };
+        "media.matri.cx" = proxiedLAN { target = "http://127.0.0.1:8096"; };
        "purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
-        "pw.eversole.co" = proxied { target = "http://127.0.0.1:40080"; };
+        "pw.eversole.co" = proxiedLAN { target = "http://127.0.0.1:40080"; };
        "sezycei.com" = static { dir = "/var/www/sezycei.com"; };
        "snakebelmont.com" = static { dir = "/var/www/snakebelmont.com"; };
        "transmission.matri.cx" = proxiedLAN { target = "http://127.0.0.1:9091"; };